Europe calling Is Resilience Within Reach?

Have you heard of the Cyber Resilience Act? It’s a European regulation on the security of digital products throughout their lifecycle. The Commission’s proposal will be published in the coming weeks. It is, however, possible to tag key elements so that we can keep a close eye on them, whether in the proposal’s text or in the coming amendments. The regulation is ambitious in tackling relatively complex technical levels. It would be a shame to reinvent the wheel.

Why this text?

The Commission regrets the lack of sufficient security guarantees from manufacturers and retailers. Furthermore, it notes there are few adequate solutions to the vulnerabilities affecting these products, throughout their lifecycles. As for information given to users in regard to security levels, there is none. The analogy that comes to mind is simple. Imagine food shopping and buying goods that have no lists of ingredients, no allergy warnings and no use-by date. Unthinkable, isn’t it?

Yet here we are. The Cyber Resilience Act intends to provide answers in the form of requirements for all the players in the digital product’s value chain. The text’s ambition is therefore to promote more security and better transparency of security levels for users. In short, if you know how, say so. The expected consequences are positive. On the economic front, for one, through strengthening the trust in the digital economy, and on issues of compliance, secondly, through a decrease in compliance costs by standardizing requirements on the European single market. Considering the stakes at hand, expectations are massive: let’s talk about them to prepare the analysis and responses.

Unresolved questions: scope, lifecycle, vulnerabilities…

As the text has yet to be published, conducting an in-depth analysis is difficult. I’m therefore relying on the preparatory work to which I was privy, along with the analysis of the questions and answers to the public consultation and other published positions.

First of all, the scope. The anticipated title of the Cyber Resilience Act is “Regulation on horizontal cybersecurity requirements for digital products and ancillary services”. Preparatory work thus defines digital products as “hardware and software”, and an “ancillary service” as a (digital) service without which the hardware cannot function as intended.

This is all well and good. However, the challenges in terms of security aren’t the same whether we’re talking about a connected object, all the components involved or its corresponding mobile app. Some remarks during the preparatory work and other responses to the consultation placed a heavy emphasis on ridding the text of the “software” part and keeping only the “material” and “components” parts. Others went further, in that they analyzed the definitions of “software” in various European texts, insisting on a standard definition in order to avoid more regulatory entropy. The same goes for product categories. The direction we’re headed is that specific requirements apply to specific product categories. This makes sense, although we are unsure of the categories: B2B or B2C products? What are the security levels for these overarching categories? And what of the situation in which a product belongs to both categories? Think of drones, GPS trackers, connected door locks and flowerpots and what have you…

Secondly, the lifecycle concept. In this matter, the Permanent Representation of the Netherlands to the EU argued in favor of fully covering the lifecycle, from design to end of life. This is logical, but the devil is in the details: hardware and software specificities often differ. Yet we do not have a clear and unified framework of what constitutes a digital product’s lifecycle on a European level. No operational conditions framework, no accountability framework. This aspect is essential: B2B products do not have the same accountability interactions between users/customers and manufacturers as B2C products do. And when we take into account the end of life concept, we enter a disaster zone.

Beyond the need to specify what a lifecycle encompasses, it is important to see to harmonizing what exists in terms of norms, standards, tech community good practice etc., on a national, European and international level. This is essential in avoiding regulatory entropy and unwanted side effects. For instance, a European manufacturer exporting his products to Asia or North America could be hindered by an overly exhaustive text. On the other hand, non-EU providers that are vital to the value chain could be driven away without being replaced. This harmonization must include adherence to the CyberAct, the EU certification schemes’ daunting regulation.

In line with these considerations come legal questions about non-personal data compromise. There is no such framework on an EU level. The NIS2 Directive provides relevant elements but only for covered entities. Therefore how do we manage accountability in cases of strategic data leaks, most often in a cross-border context?

Finally, the major issue of managing vulnerabilities. This is always a matter of roles and liabilities, which brings up subjects of coordination, cure periods and costs. Some contributors thus argue the text should not impose a cure period, no matter the criticality of the vulnerability, in favor of an overly complex coordination. Is this feasible in a world where there are myriad identification offers, but where cure periods are increasingly longer due to a lack of resources? These delays are a godsend for ransomware gangs and other cyber-offenders who have dropped phishing emails for more promising venues such as exploiting unpatched vulnerabilities. Yours truly is in favor of a mandatory reasonable cure period, as was already made clear in works around the Paris Call international standards. This commitment is not necessarily acceptable to users: on an operational level, it implies ever-increasing resources to keep our head above the water

The question then remains. In a world where we’re all someone’s end-user, who is responsible for the insecurity of digital products? How do we convince manufacturers and retailers to protect us? The Cyber Resilience Act is part of the answer.